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Research  Objectives 

Program  verification  has  frequently  been  suggested  as  a tool  for 
improving  software  reliability.  The  purpose  of  this  research  is  to 
develop  verification  techniques  that  can  be  applied  to  complex  program 
systems  involving  concurrency,  such  as  operating  systems  and  network 
communications  managers. 

Two  complementary  approaches  have  been  pursued.  The  first  is  the 
development  of  basic  tools  for  describing  and  verifying  concurrent 
programs;  the  aim  is  to  find  ways  of  reducing  the  complexity  which  arises 
from  concurrent  interactions  between  the  components  of  the  system.  These 
tools  are  general  purpose  and  should  be  applicable  to  a wide  range  of 
problems.  The  second  approach  is  the  investigation  of  specific  applications 
by  analyzing  algorithms  and  programs  from  such  domains  as  operating  systems, 
networks,  and  distributed  databases.  These  program  examples  provide  test 
cases  for  evaluating  the  power  of  the  basic  tools  and  help  to  identify 
problem  areas  where  further  basic  work  is  needed.  In  addition,  analysis 
of  these  programs  often  makes  it  possible  to  recognize  common  patterns  and 
formulate  rules  that  simplify  the  design  and  verification  of  program  com- 
ponents that  fit  these  patterns. 

Status  of  the  Research  Effort 

1.  Basic  tools 

Our  purpose  here  is  to  devise  general-purpose  specification,  and  p.roof 
methods  for  concurrent  programs.  Two  types  of  correctness  criteria  can  be 
distinguished:  invariant  properties,  which  should  be  true  throughout  system 
execution,  and  liveness  constraints,  which  require  that  certain  events  must 
eventually  occur.  For  example,  an  airline  reservation  system  might  preserve 
the  invariant  that  no  flight  is  overbooked  and  guarantee,  as  a liveness 


constraint,  that  each  request  for  a reservation  is  eventually  answered. 

Our  techniques  for  dealing  with  the  two  kinds  of  problems  are  discussed 
below.  In  both  cases,  we  are  concerned  with  managing  the  complexity  of 
the  verification  process,  and  so  favor  modular  methods  that  allow  factoring 
the  verificaiton  of  a system  into  relatively  independent  treatment  of  each 
component. 

First,  let  us  consider  the  proof  of  invariant  properties.  Concurrent 
programs  can  be  constructed  using  three  kinds  of  modules:  processes  ( the 
active  components  ),  monitors  ( which  implement  shared  data  objects  and 
operations)  and  compound  modules  constructed  from  other  modules.  We  have 
developed  a specification  format  in  which  each  module  is  described  by 
assertions  giving  its  initial  state,  its  requirements  from  other  modules, 
invariant  relations  between  its  local  variables,  and  effects  of  its 
procedures  ( if  it  has  any  ).  Verification  rules  for  proving  that  a module 
implementation  meets  its  specifications  take  several  forms.  For  process  and 
monitor  modules,  verification  requires  direct  analysis  of  the  program  code. 
Because  of  the  specification  style,  this  step  is  in  general  no  more  complex 
than  for  a non-concurrent  program.  For  compound  modules,  verification  depends 
only  on  the  specification  of  the  components,  and  not  on  their  implementation. 
Since  each  module  verification  is  performed  independently,  and  the  effect  of 
interactions  between  components  is  limited  to  a small,  well-defined  inter- 
face, the  complexity  of  the  system  proof  does  not  grow  unmanageably  as  the 
size  of  the  system  increases. 

The  basic  rules  for  proving  invariant  properties  are  presented  in 
[1],  In  [2],  the  rules  are  amplified  and  illustrated  by  the  design  and 
verification  of  a simple  system  for  routing  mail  in  a ring  network. 

This  method  of  specifying  and  verifying  Invariant  properties  is  adequate 


for  a wide  range  of  concurrent  programs.  Our  work  on  liveness  properties 
is  at  an  earlier  stage,  but  the  initial  result  are  promising.  Our  approach 
is  based  on  temporal  logic,  in  which  one  can  express  assertions  about 
future  program  states.  This  is  accomplished  by  introducing  two  symbols: 

^(eventually)  and  Q(henceforth).  The  liveness  requirements  of  the 
airline  reservations  system  described  above  can  be  expressed  in  temporal 
logic  by: 

□ (request  R received  *♦  request  R answered). 
Previously,  the  statement  and  verification  of  liveness  properties  has  been 
done  quite  imformally.  As  a result,  correctness  proofs  have  been  very 
susceptible  to  ambiguities  in  the  problem  statement  and  to  errors  of 
reasoning.  The  main  contribution  of  temporal  logic  is  that  it  provides  a 
precise  means  of  stating  and  proving  liveness  requirements. 

The  use  of  temporal  logic  in  describing  and  verifying  small  programs 

is  described  in  [6].  The  methods  presented  there,  however,  are  not  suitable 

for  large  programs  because  they  do  not  provide  for  modular  decomposition. 

To  facilitate  modular  proofs,  we  propose  to  extend  the  specifications  of  a 

module  to  include  one  or  more  conditional  promises  of  the  form 

if  P then<£>Q  unless  delayed  by  D, 

where  P,  Q,  and  0 are  assertions  about  the  program  state. 

As  an  example,  consider  a pipeline  of  processes  communicating  through 

buffers.  Process  Pj,  which  moves  data  from  buffer  to  buffer  Bf, 

might  have  the  following  specifications: 

lOBi-]  not  full  unless  delayed  by  Bj  full 

2.  if  x is  in  Bj-i,  then  0^i(xi)  ®i  unless 

delayed  by  Bi  full 


Verifying  that  a module  implemented  by  a process  or  monitor  meets  its 
liveness  promises  depends  on  axioms  that  characterize  the  liveness  properties 
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of  programming  language  statements  ( the  properties  of  synchronizing 
operations  like  semaphore  wait  and  signal  are  especially  important), 

Far  compound  modules,  the  liveness  of  the  whole  module  can  be  verified 
using  just  the  specifications  of  its  components.  For  example,  in  the 
pipeline  program,  the  entire  system  of  processes  and  buffers  satisfies 
the  unconditional  promise. 

if  x in  B0  then^f^  (fk_j...(fj  (x) . . . ) is  in  B^ 

The  proof  of  this  unconditional  system  promise  involves  showing  that 
Pf's  promise  to  remove  items  from  Bf-i  cancels  out  Pj-i's  delay 
condition.  Proof  rules  for  verifying  promises  of  the  sort  are  currently 
being  developed. 

2.  Applications 

We  have  investigated  the  design  and  verification  of  concurrent  systems 
In  three  applications  areas:  operating  systems,  network  communications 
protocols,  and  distributed  databases.  The  work  in  each  area  is  described 
below. 

In  operating  systems,  we  have  considered  the  design  of  an  operating 
system  nucleus;  most  of  this  work  is  described  in  the  first  annual  report. 

An  important  result  was  the  identification  of  two  patterns  that  account 
for  most  operating  system  modules:  the  transmitter,  which  produces  a stream 
of  output  values  from  a stream  of  input  values,  and  the  resource  allocator, 
which  manages  the  sharing  of  some  object  between  competing  modules. 
Verification  methods  for  these  module  types  are  described  in  [2]  and  [3]. 

Deadlock  avoidance  Is  a particular  problem  for  resource  allocators, 
and  we  have  investigated  it  in  some  detail.  A variety  of  deadlock-avoidance 
strategies  have  been  proposed  in  the  literature.  They  have  in  common  the 
property  that  deadlock  is  prevented  by  refusing  to  allocate  resource  if 
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doing  so  leads  to  an  "unsafe"  state:  one  in  which  further  resource 
requests  might  result  in  deadlock.  The  strategies  differ  in  the  amount 
of  computation  they  preform  in  evaluating  a request  and  in  the  amount  of 
information  they  require  about  future  resource  requests  from  the  competing 
modules."  In  general,  a strategy  that  performs  more  computation  or  uses 
more  information  about  resource  needs  can  recognize  a larger  number  of 
requests  as  "safe",  and  so  impose  less  delay  on  the  competing  modules.  We 
have  developed  a model  that  allows  a precise  characterization  and  comparison 
of  these  differences;  analysis  of  the  model  has  suggested  extensionsthat 
improve  the  performance  of  previous  algorithms.  This  work  is  reported  in  [5]. 

The  second  application  area  we  have  studied  is  network  communication 
protocols.  Here  most  of  the  modules  are  instances  of  the  same  transmitter 
patter  that  occurs  so  often  in  operating  systems.  The  principle  difference 
is  that  communication  protocols  must  function  correctly  even  in  the  presence 
of  processor  failures  and  transmission  line  errors.  We  can  incorporate 
these  failure  possibilities  into  the  verification  in  a straightforward 
manner.  For  example,  the  invariant  of  a perfect  communication  link  is  that 
the  output  it  has  delivered  is  an  initial  segment  of  the  input  it  has  received. 
A communication  link  which  may  lose  or  re-order  messages  is  characterized  by 
an  invariant  that  states  that  its  output  is  a permutation  of  a subsequence 
of  its  input.  The  liveness  promise  of  a failure-free  link  is  that  each 
input  value  will  eventually  be  output,  while  the  promise  of  a link  which 
can  lose  a message  a bounded  number  of  times  is  that  a message  which  appears 
a sufficient  number  of  times  in  the  input  will  eventually  reach  the  output. 

We  have  found  that  our  techniques  for  verifying  invariants  are  satisfactory 
In  this  application.  Work  is  in  progress  to  find  powerful  means  of  dealing 
with  liveness  in  order  to  cope  with  the  liveness  characteristics  of  unreliable 
modules. 
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The  final  application  area  we  have  considered  is  distributed  data- 
bases. Here  the  issue  of  concern  is  maintaining  the  consitency  of  multiple 
copies  of  data  while  allowing  access  from  several  users  to  take  place  con- 
currently. A new  consistency  control  algorithm  has  been  developed  [4];  it 
uses  a distinguished  "true  copy"  of  each  data  item  which  is  the  locus  of 
locking  for  that  data  item.  The  true  copy  may  migrate  throughout  the 
system,  and  may  be  split  into  multiple  "shared  copies"  that  can  be  read 
but  not  modified.  This  allows  concurrent  operation,  with  a lower  overhead 
of  messages  than  many  existing  algorithms.  Work  is  in  progress  to  make  the 
algorithms  resilient  in  the  face  of  failures.  The  consistency  of  the  true- 
copy  algorithm  is  easy  to  verify.  It  does  not  depend  on  the  use  of  a par- 
ticular policy  for  avoiding  deadlocks  or  resolving  competing  resource 
demands,  so  it  can  serve  as  a basis  for  a variety  of  schemes  whose  consis- 
tency will  then  be  easily  verified. 

The  consistency  criterion  required  of  distributed  databases  is  an  example 
of  an  invariant  property,  which  we  are  well  equipped  to  verify.  Proving 
liveness  is  more  difficult,  especially  when  reliable  service  in  the  presense 
of  errors  is  required.  It  seems  likely  that  the  tools  being  developed  for 
communication  protocols  will  also  be  useful  for  distributed  database  systems. 

Over  all,  our  experience  in  examining  applications  problems  has  been 
fruitful.  It  confirms  our  belief  that  the  basic  tools  for  dealing  with 
invariants  are  now  satisfactory,  although  there  is  still  work  to  be  done  in 
deriving  techniques  tailored  to  particular  applications.  In  verifying  live- 
ness, we  are  at  an  earlier  stage.  The  most  pressing  problem  is  to  find 
methods  of  dealing  with  resilient  systems  that  must  provide  service  in  spite 
of  component  failures. 
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this  research  project  is  concerned  with  methods  for  developing 
provably  correct  system  programs.  Two  complementary  approaches  have 
been  pursued.  The  first  is  the  development  of  basic,  tools  for  de- 
scribina  and  verifying  concurrent  programs;  the  aim  is  to  find  ways 
of  managing  the  complexity  which  arises  from  concurrent  interactions 
between  system  components.  Specification  and  proof  methods  for  in- 
variant properties  of  modular  programs  have  been  developed.  They 
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sufficient  basis  for  reasoning  about  a wide  class  of  concurrent 
systems.  Tools  for  stating  and  verifying  other  types  of 
requirements,  e.g.  that  a message  is  eventually  delivered,  are  in 
an  earlier  stage.  Techniques  have  been  designed  that  use  .temporal 
logic,  a logical  system  that  allows  statements  about  future  events. 


The  second  approach  that  has  been  taken  here  is  the  investigation 
of  specific  problems  in  three  applications  areas:  operating  systems,  j 
network  communication  protocols,  and  distributed  databases.'  In 
addition  to  providing  test  cases  for  evaluating  the  basic  tools, 
these  applications  are  important  in  their  own  right.  It  has  been 
possible  to  identify  common  patterns,  and  to  build  more  sophisticated 
techniques  for  handling  them  from  the  basic  tools  discussed  above. 

A major  issue  in  these  applications  is  dealing  with  unreliable 
components,  and  preliminary  descriptions  of  methods  for  treating 
component  failure  are  discussed. 
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